Date: Wed, 4 Sep 2024 08:53:32 GMT
Message-Id: <202409040853.4848rWa9005756@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: b822e3fab468 - stable/14 - pf: be less strict about icmp state checking for sloppy state tracking
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: b822e3fab468ffbe941d0758d960e1aa46069a38

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b822e3fab468ffbe941d0758d960e1aa46069a38

commit b822e3fab468ffbe941d0758d960e1aa46069a38
Author:     Kristof Provost
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-04 08:38:15 +0000

    pf: be less strict about icmp state checking for sloppy state tracking

    Sloppy state tracking renders ICMP direction check useless and harmful
    as we might see only half of the connection in the asymmetric setups
    but ignore the state match.

    The bug was reported and fix was verified by Insan Praja.
    Thanks!

    OK mcbride, henning

    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb, 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)

--- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 5d492394eb87..e94856b011bf 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -6690,6 +6690,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||
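
Review bot: The early `return (-1)` added right after `STATE_LOOKUP` carries no comment, while the check it bypasses has one ("Is this ICMP message flowing in right direction?"). From the hunk alone a reader cannot tell whether -1 means the state match is accepted or the lookup failed, so a one-line comment above the new `if`, for example "sloppy states skip the direction check", would make the intent explicit. Because a state with `PFSTATE_SLOPPY` set now never reaches the direction test, whatever the rule type, the relaxed filtering is also worth stating wherever sloppy state tracking is documented, so operators know ICMP direction is no longer enforced for those states.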